New Rules Deployed

August 11th, 2023


Windows/Network Connection:

  1. Connection Initiated Via Certutil.EXE
  2. Equation Editor Network Connection
  3. Download a File with IMEWDBLD.exe
  4. Communication To

Windows/System or Application/Service Control Manager:

  1. Suspicious Service Installation Script
  2. Turla PNG Dropper Service
  3. CobaltStrike Service Installations – System
  4. Windows Defender Threat Detection Disabled – Service
  5. Service Installation
  6. Invoke-Obfuscation Obfuscated IEX Invocation – System
  7. Invoke-Obfuscation STDIN+ Launcher – System
  8. Invoke-Obfuscation VAR+ Launcher – System
  9. Anydesk Remote Access Software Service Installation
  10. Hacktool Service Registration or Execution

Driver Load:

  1. Usage Of Malicious POORTRY Signed Driver
  2. PowerShell Scripts Run by Services

Azure/Azure Active Directory:

  1. Member Added to Group – Azure AD
  2. Multiple Members Added To Group – Azure AD2

Windows/Image Load:

  1. Suspicious Unsigned Dbghelp-Dbgcore DLL Loaded
  2. PCRE.NET Package Image Load
  3. Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  4. Suspicious Interactive PowerShell as SYSTEM
  5. Suspicious Scheduled Task Write to System32 Tasks
  6. Suspicious Startup Folder Persistence


  1. UEFI Persistence Via Wpbbin – FileCreation
  2. WMI Persistence – Script Event Consumer File Write
  3. Creation of a WerFault.exe in Unusual Folder
  4. UAC Bypass Using Windows Media Player – File
  5. UAC Bypass Abusing Winsat Path Parsing – File
  6. Suspicious Interactive PowerShell as SYSTEM
  7. Suspicious Scheduled Task Write to System32 Tasks
  8. Suspicious Startup Folder Persistence
  9. NPPSpy Hacktool Usage
  10. Powerup Write Hijack DLL


  1. Fortigate Audit – System Changes Outside Working Hours

Windows/Process Creation:

  1. Certificate Exported Via Certutil.EXE
  2. Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  3. Findstr Suspicious ParentCommandLine
  4. Use NTFS Short Name in Image
  5. Sdclt Child Processes
  6. Potential UAC Bypass Via Sdclt.EXE


  1. Potential Registry Reconnaissance Via PowerShell Script
  2. PowerShell Set-Acl On Windows Folder – PsScript
  3. PowerShell Script Change Permission Via Set-Acl – PsScript

365 Defender:

  1. Collection – 365 Defender
  2. Defense Evasion – 365 Defender
  3. Ransomware – 365 Defender
  4. Credential Access – 365 Defender

Web Cache:

  1. Potential CVE-2023-36884 URL Request Pattern Traffic

Pulse Connect Secure@Pulse Secure:

  1. User Connected by VPN Outside Working Hours – Pulse Secure


  1. UAC Bypass via Sdclt
